https://serversforhackers.com/c/letsencrypt-with-haproxy

https://tecadmin.net/how-to-setup-haproxy-load-balancing-on-ubuntu-linuxmint/

• root@ecsweb:~# cat /etc/haproxy/haproxy.cfg
• global
• log /dev/log local0
• log /dev/log local1 notice
• chroot /var/lib/haproxy
• stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
• stats timeout 30s
• user haproxy
• group haproxy
• daemon
• # Default SSL material locations
• ca-base /etc/ssl/certs
• crt-base /etc/ssl/private
• # Default ciphers to use on SSL-enabled listening sockets.
• # For more information, see ciphers(1SSL). This list is from:
• # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
• # An alternative list with additional directives can be obtained from
• # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
• ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
• ssl-default-bind-options no-sslv3
• defaults
• log global
• mode http
• option httplog
• option dontlognull
• timeout connect 5000
• timeout client 50000
• timeout server 50000
• errorfile 400 /etc/haproxy/errors/400.http
• errorfile 403 /etc/haproxy/errors/403.http
• errorfile 408 /etc/haproxy/errors/408.http
• errorfile 500 /etc/haproxy/errors/500.http
• errorfile 502 /etc/haproxy/errors/502.http
• errorfile 503 /etc/haproxy/errors/503.http
• errorfile 504 /etc/haproxy/errors/504.http
• # If it detects a LetsEncrypt request, is uses the LE backend
• frontend ft_http
• bind :80
• mode http
• default_backend bk_http
• frontend ft_https
• bind :443
• mode tcp
• default_backend bk_https
• # This is our new config that listens on port 443 for SSL connections
• # bind *:443 ssl crt /etc/ssl/ecsweb.bdcom.com.bd/ecsweb.bdcom.com.bd.pem
• # Redirect if HTTPS is *not* used
• redirect scheme https code 301 if !{ ssl_fc }
• # Test URI to see if its a letsencrypt request
• # acl letsencrypt-acl path_beg /.well-known/acme-challenge/
• # use_backend letsencrypt-backend if letsencrypt-acl
• ## default_backend be-scalinglaravel
• ##backend be-scalinglaravel
• ## balance roundrobin
• option forwardfor
• http-request set-header X-Forwarded-Port %[dst_port]
• http-request add-header X-Forwarded-Proto https if { ssl_fc }
• backend bk_http
• mode http
• balance roundrobin
• #stick on src table bk_https
• default-server inter 1s
• server ecs.gov.bd ecs.gov.bd:80 check id 1
• server ecs.bdcom.com.bd ecs.bdcom.com.bd:80 check id 2
• #server ecsww.bdcom.com.bd ecsww.bdcom.com.bd:80 check id 3
• #server dns2.bdcom.com dns2.bdcom.com:80 check id 3
• backend bk_https
• mode tcp
• balance roundrobin
• stick-table type ip size 200k expire 30m
• stick on src
• default-server inter 1s
• # server ecsweb.bdcom.com.bd ecsweb.bdcom.com.bd:443 check ssl verify none
• #server prohostnms.bdcom.net prohostnms.bdcom.net:443 check ssl verify none
• # for 8181 haproxy panel
• listen stats
• bind *:8181
• stats enable
• stats uri /
• stats realm Haproxy\ Statistics
• stats auth admin:bdc0m987
• #backend letsencrypt-backend
• # server letsencrypt 127.0.0.1:8888

Haproxy ACL